News

Properly managing sensitive information to maintain privacy and security has become paramount in recent years. Today, pharmaceutical companies and medical device manufacturers are increasingly using the Internet to broaden their services making compliance with FDA regulation even more important.

Electronic Records and Signatures Defined

Under normal circumstances electronic records are an amalgamation of data, text, audio, graphics, and images that are created, archived, modified, retrieved, maintained, and distributed via a computerized system.

Electronic signatures are computerized data complied of symbols that can be adopted, executed, or authorized like a legally binding handwritten signature.

The regulations that surround electronic records and signatures may only cover the minimum requirements for implementation. Therefore, it’s really up to the organization to make their systems more secure.

What Part 11 Really Means

So far, Part 11 has been perceived to be quite broad and this has created some confusion. In some cases, it has led to unnecessary expenses and controls. Misperceptions about the regulation can stifle technological advances and innovations.

If you narrow it down, the crux of Part 11 is as follows:

If electronic records are used in a controlled environment instead of paper, Part 11 will be applicable

If devices are used to generate printouts of electronic records (and the paper printouts meet all applicable FDA rules) and staff only rely on paper records to carry out regulated functions, this would not be considered as “using electronic records in lieu of paper records.” As a result, Part 11 would not be triggered on this occasion

Often, real-world business practices determine whether you are using electronic records and not paper records. For example, if you use a computer to generate paper records but rely on electronic records to conduct regulated activities, then the FDA will, most probably, consider it to be an electronic record and not a paper record.

The best way to approach compliance with Part 11 is to first figure out whether your company plans on relying on paper records or electronic records to carry out regulated activities. Further, to be on the safe side, it is important to document these decisions and steps in a specification document and / or in a Standard Operating Procedure (SOP).

Validation of Electronic Records

The FDA will enforce specific Part 11 requirements for validation of computerized systems at its own discretion. Before you decide to validate computer systems within your organization, first determine the impact the system will have on your ability to stay compliant.

It’s also important to note that even if there aren’t any established requirements to validate current systems, it might still be important to validate it. The best way to approach this issue is to perform a detailed risk assessment. It’s the best way to ensure that the system does not affect your product safety, quality, and record integrity.

Maintain Audit Trails

The FDA will also exercise discretion on time-stamped, computer-generated audit trails. As a result, individuals need to ensure that changes to records do not confuse the time, sequence of events, or previous entries.

Audit trails are usually mandatory when users of the system are expected to create, modify, or delete regulated records.

Legacy Systems

For systems that were already in operation before August 20, 1997, the agency plans to exercise discretion for all Part 11 requirements. In other words, the agency will not take action if the system falls under the following criteria:

The system was operational before August 20, 1997

The system was compliant before the effective date

Availability of documented evidence justifying the system as appropriate for intended use

The system currently meets all applicable requirements

If the system has been updated since the effective date, Part 11 controls need to be applied to electronic records and signatures pursuant to enforcement requirements.

Maintenance of Records

Whenever there’s an inspection, you will be required to provide useful and reasonable access to copies of records.

It’s best to provide copies of electronic records in portable formats like the following:

PDF

XML

SGML

Throughout the record retention period, protected data needs to be easily accessible and reliable. Again, it’s best to base your decision on record retention on a risk assessment and on established rules.

Although Part 11 may seem broad and confusing in some instances, it is, in fact, quite specific and narrow. If you need help with Part 11 or any other compliance regulation, contact GxP-CC. Armed with decades of practical experience, GxP-CC consultants can help tailor your practices to stay compliant and efficient.

About this author:

Dr. Macartney began his career within the medical device and pharmaceutical fields where he was involved in research and development before moving to the central computer division of the company’s research division located in Upper Bavaria, Germany. In 1996 he started his career in the consulting industry. An industry-wide recognized expert who has issued various publications supporting industry standards, Dr. Macartney is also referenced by the National Academy of Sciences.